EU Says Do Not Track Self Regs There Don't Measure Up

Letter to IAB Europe and European Advertising Standards Alliance says current code of conduct does not meet requirements of e-Privacy Directive

The EU has signaled to interactive advertisers in Europe that their self-regulatory efforts still do not comply with its new privacy guidelines.

In a letter to the heads of IAB Europe and the ad self-regulatory body, European Advertising Standards Alliance, the EU's data protection working group reiterated that its current code of conduct "does not meet the consent and information requirements of the revised e-Privacy Directive."

Article 29 working Party Chairman Jacob Kohnstamm asked them to work with the EU on a new standard, to be adopted in June, that would have at its baseline that all browsers offer their users the "active and informed choice to allow or disallow tracking" and that disallowing means no information is tracked, not just that they are not being shown targeted ads.

To meet the EU privacy standard, all browsers would have to have a consent mechanism, which could then be combined with an opt-out icon on Websites.

The EU adopted a Data Privacy Directive in 1995 to "harmonize" privacy protection within EU and prevent personal information from flowing to other countries that EU believed lacked adequate protections. That was later updated to include e-privacy. The directive applies to affiliates of U.S. corporations and requires them to adhere to seven basic principles: Notice, purpose (data should be relevant to its use), consent, security, disclosure, access (ability to correct inaccuracies in data) and accountability.

The fact that each EU member country is responsible for incorporating them into its own privacy laws has created problems for U.S. affiliates, legislators and witnesses agreed at a Hill hearing last fall.

The White House two weeks ago endorsed a browser-based self-regulatory do not track regime proposed by the Digital Advertising Alliance (DAA), but indicated it would ultimately need some legislative backstopping. The browser-based option is still an opt-out, rather than opt-in mechanism, for Web surfers. But those who opted out would be preventing "most" data that would otherwise be collected, DAA argues, with narrow carve-outs for fraud protection.

Jeff Chester of the Center for Digital Democracy suggests the EU letter should be a warning to U.S. regulators. "Since the online ad industry's self-regulatory approaches are similar on both sides of the Atlantic, the Article 29 statement underscores that the U.S. self-regulatory system also has serious flaws."

But the administration has joined with some Republican and Democratic legislators to argue that while the U.S. needs baseline principles to give its trading partners more confidence in exchanging data with U.S. companies, it should not follow the EU model in lockstep. Some industry observers argue EU enforcement is sporadic and inconsistent, with a seemingly disproportionate number of American companies targeted for compliance violations. These challenges facing U.S. businesses in the European theater and the lessons learned from the EU experience will be closely examined at the hearing."